authortcmal <me@aria.rip>2024-03-30 19:14:37 +0000
committertcmal <me@aria.rip>2024-04-12 23:53:19 +0100
commit343b319957f6a3a14848dc1dc7c7e001cee9579a (patch)
treeaec2278eb3b11b65c24ac8aa7bc0a4457d9121a3
parentakkoma: 3.11.0 -> 3.12.2 (diff)
nixos/akkoma: check that upload and media proxy base url is specified
New versions of Akkoma require the upload base URL to be specified in order for updates to work properly. This will be a breaking change in 24.05, but for now a reasonable default is set.
-rw-r--r--nixos/modules/services/web-apps/akkoma.nix42
-rw-r--r--nixos/tests/akkoma.nix66
2 files changed, 83 insertions, 25 deletions
diff --git a/nixos/modules/services/web-apps/akkoma.nix b/nixos/modules/services/web-apps/akkoma.nix
index 8a8ed49115fd..ffbd2979440a 100644
--- a/nixos/modules/services/web-apps/akkoma.nix
+++ b/nixos/modules/services/web-apps/akkoma.nix
@@ -769,6 +769,21 @@ in {
};
};
+ "Pleroma.Upload" = let
+ httpConf = cfg.config.":pleroma"."Pleroma.Web.Endpoint".url;
+ in {
+ base_url = mkOption {
+ type = types.nonEmptyStr;
+ default = if lib.versionOlder config.system.stateVersion "24.05"
+ then "${httpConf.scheme}://${httpConf.host}:${builtins.toString httpConf.port}/media/"
+ else null;
+ description = mdDoc ''
+ Base path which uploads will be stored at.
+ Whilst this can just be set to a subdirectory of the main domain, it is now recommended to use a different subdomain.
+ '';
+ };
+ };
+
":frontends" = mkOption {
type = elixirValue;
default = mapAttrs
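Review bot: `"Pleroma.Upload".base_url` is declared as `types.nonEmptyStr`, but its default becomes `null` once `system.stateVersion` is 24.05 or later, so an unset option will most likely fail with a generic type error instead of telling the operator what to set. Either omit the default in that branch, so the module system reports the option as used but not defined, or use `types.nullOr types.nonEmptyStr` with an explicit assertion, as the media proxy option does. The description would be more accurate as `Base URL under which uploads are served.` It could also give the reason for the subdomain advice, which as far as I know is that uploads served from a separate origin cannot be interpreted in the instance's own origin.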
@@ -786,6 +801,30 @@ in {
[{option}`config.services.akkoma.frontends`](#opt-services.akkoma.frontends).
'';
};
+
+
+ ":media_proxy" = let
+ httpConf = cfg.config.":pleroma"."Pleroma.Web.Endpoint".url;
+ in {
+ enabled = mkOption {
+ type = types.bool;
+ default = false;
+ description = mdDoc ''
+ Whether to enable proxying of remote media through the instance's proxy.
+ '';
+ };
+ base_url = mkOption {
+ type = types.nullOr types.nonEmptyStr;
+ default = if lib.versionOlder config.system.stateVersion "24.05"
+ then "${httpConf.scheme}://${httpConf.host}:${builtins.toString httpConf.port}/media/"
+ else null;
+ description = mdDoc ''
+ Base path for the media proxy.
+ Whilst this can just be set to a subdirectory of the main domain, it is now recommended to use a different subdomain.
+ '';
+ };
+ };
+
};
":web_push_encryption" = mkOption {
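Review bot: The legacy default for `":media_proxy".base_url` ends in `/media/`, exactly like the upload default in the previous hunk, which looks like a copy-paste. I would expect proxied remote media to be routed under a different path than local uploads, so please confirm against upstream how this value is joined into proxy URLs. If the proxy appends its own path, the default should probably be just `"${httpConf.scheme}://${httpConf.host}:${builtins.toString httpConf.port}"`. The `httpConf` binding is also duplicated from the upload option and could be shared.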
@@ -909,6 +948,9 @@ in {
};
config = mkIf cfg.enable {
+ assertions = optionals (cfg.config.":pleroma".":media_proxy".enabled && cfg.config.":pleroma".":media_proxy".base_url == null) [''
+ `services.akkoma.config.":pleroma".":media_proxy".base_url` must be set when the media proxy is enabled.
+ ''];
warnings = optionals (with config.security; (!sudo.enable) && (!sudo-rs.enable)) [''
The pleroma_ctl wrapper enabled by the installWrapper option relies on
sudo, which appears to have been disabled through security.sudo.enable.
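Review bot: The new `assertions` value is a list of strings, which is the shape `warnings` takes; NixOS assertions are attribute sets with `assertion` and `message` fields. When the condition holds, evaluation would likely abort with a missing-attribute error rather than print the intended message. The commit title also promises a check for the upload base URL, but only the media proxy is checked here; a second entry for `"Pleroma.Upload".base_url` would cover it if that option is made nullable. The `config` block continues outside the hunk.

```nix
assertions = let
  mediaProxy = cfg.config.":pleroma".":media_proxy";
in [{
  assertion = !mediaProxy.enabled || mediaProxy.base_url != null;
  message = ''
    `services.akkoma.config.":pleroma".":media_proxy".base_url` must be set when the media proxy is enabled.
  '';
}];
# … unchanged: warnings = optionals … …
```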
diff --git a/nixos/tests/akkoma.nix b/nixos/tests/akkoma.nix
index 287e2d485999..27597895fca6 100644
--- a/nixos/tests/akkoma.nix
+++ b/nixos/tests/akkoma.nix
@@ -1,12 +1,16 @@
/*
- End-to-end test for Akkoma.
+End-to-end test for Akkoma.
- Based in part on nixos/tests/pleroma.
+Based in part on nixos/tests/pleroma.
- TODO: Test federation.
+TODO: Test federation.
*/
-import ./make-test-python.nix ({ pkgs, package ? pkgs.akkoma, confined ? false, ... }:
-let
+import ./make-test-python.nix ({
+ pkgs,
+ package ? pkgs.akkoma,
+ confined ? false,
+ ...
+}: let
userPassword = "4LKOrGo8SgbPm1a6NclVU5Wb";
provisionUser = pkgs.writers.writeBashBin "provisionUser" ''
@@ -15,16 +19,17 @@ let
pleroma_ctl user new jamy jamy@nixos.test --password '${userPassword}' --moderator --admin -y
'';
- tlsCert = pkgs.runCommand "selfSignedCerts" {
- nativeBuildInputs = with pkgs; [ openssl ];
- } ''
- mkdir -p $out
- openssl req -x509 \
- -subj '/CN=akkoma.nixos.test/' -days 49710 \
- -addext 'subjectAltName = DNS:akkoma.nixos.test' \
- -keyout "$out/key.pem" -newkey ed25519 \
- -out "$out/cert.pem" -noenc
- '';
+ tlsCert =
+ pkgs.runCommand "selfSignedCerts" {
+ nativeBuildInputs = with pkgs; [openssl];
+ } ''
+ mkdir -p $out
+ openssl req -x509 \
+ -subj '/CN=akkoma.nixos.test/' -days 49710 \
+ -addext 'subjectAltName = DNS:akkoma.nixos.test' \
+ -keyout "$out/key.pem" -newkey ed25519 \
+ -out "$out/cert.pem" -noenc
+ '';
sendToot = pkgs.writers.writeBashBin "sendToot" ''
set -eu -o errtrace -o pipefail
@@ -40,7 +45,7 @@ let
# Test file upload
echo "y" | ${pkgs.toot}/bin/toot upload <(dd if=/dev/zero bs=1024 count=1024 status=none) \
- | grep -F -q "https://akkoma.nixos.test/media"
+ | grep -F -q "https://akkoma.nixos.test:443/media"
'';
checkFe = pkgs.writers.writeBashBin "checkFe" ''
@@ -59,19 +64,28 @@ let
${nodes.akkoma.networking.primaryIPAddress} akkoma.nixos.test
${nodes.client.networking.primaryIPAddress} client.nixos.test
'';
-in
-{
+in {
name = "akkoma";
nodes = {
- client = { nodes, pkgs, config, ... }: {
- security.pki.certificateFiles = [ "${tlsCert}/cert.pem" ];
+ client = {
+ nodes,
+ pkgs,
+ config,
+ ...
+ }: {
+ security.pki.certificateFiles = ["${tlsCert}/cert.pem"];
networking.extraHosts = hosts nodes;
};
- akkoma = { nodes, pkgs, config, ... }: {
+ akkoma = {
+ nodes,
+ pkgs,
+ config,
+ ...
+ }: {
networking.extraHosts = hosts nodes;
- networking.firewall.allowedTCPPorts = [ 443 ];
- environment.systemPackages = with pkgs; [ provisionUser ];
+ networking.firewall.allowedTCPPorts = [443];
+ environment.systemPackages = with pkgs; [provisionUser];
systemd.services.akkoma.confinement.enable = confined;
services.akkoma = {
@@ -94,6 +108,9 @@ in
"Pleroma.Web.Endpoint" = {
url.host = "akkoma.nixos.test";
};
+ "Pleroma.Upload" = {
+ base_url = "https://akkoma.nixos.test:443/media/";
+ };
};
};
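Review bot: The test sets only `"Pleroma.Upload".base_url`, so neither the new `":media_proxy"` options nor the assertion added in the module are exercised. A case with `":media_proxy".enabled = true` and no `base_url` that is expected to fail evaluation would confirm the assertion reports the intended message. A comment such as `# same origin as the instance for test simplicity; production should use a separate subdomain` would also help, because the value used here is the setup the option description advises against.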
@@ -109,7 +126,7 @@ in
};
};
- testScript = { nodes, ... }: ''
+ testScript = {nodes, ...}: ''
start_all()
akkoma.wait_for_unit('akkoma-initdb.service')
akkoma.systemctl('restart akkoma-initdb.service') # test repeated initialisation
@@ -121,4 +138,3 @@ in
client.succeed('${checkFe}/bin/checkFe')
'';
})
-